'Thousands of servers' are expected to still be vulnerable in a decade.
That's according to an updated report from security researchers at Errata Security. Errata gathered the new findings by simply scanning port 443 on servers across the web for the vulnerability, and published them on its blog on Saturday.
The scan returned 309,197 servers that are still vulnerable to the bug. When Errata ran the same port scan in May, it came back with 318,239 vulnerable servers. That means that in the last 30 days, only 9,000 servers have been patched. As Errata's Rob Graham notes, "this indicates people have stopped even trying to patch."
Heartbleed, as you may recall, is the name for the massive OpenSSL vulnerability that left huge portions of the web exposed. Heartbleed lets attackers grab important information from a vulnerable server, including encryption keys that could unlock access to usernames, passwords and other data that should be encrypted. The bug sat dormant for nearly two years before being uncovered in April.
Graham writes that he expects to see a slow decrease in vulnerable servers over the next decade, as older systems are replaced. Still, he expects to find thousands of systems — "including critical ones" — vulnerable a decade from now.
Graham's port scanning process isn't perfectly accurate, and more servers could be vulnerable than his scans have found. It's also difficult to assess the importance of each server that remains vulnerable. Within 10 days of Heartbleed becoming public, the top 1,000 sites on the web had been properly patched.
The momentum largely carried for the next month, with more website owners updating their software and reissuing security certificates.
Still, there are systems that will never be patched. This isn't just true for web servers: an unknown number of embedded devices — including some Android smartphones — are vulnerable to Heartbleed and will almost certainly never see a patch.
So should you be worried? For the next six to 12 months, it may be a good idea to install a Heartbleed detector plugin in your web browser (like this one), just in case you come across an unpatched server that asks for important information (such as banking data).
The reality is, however, that Heartbleed is just one of many vulnerabilities that often exist unpatched in the wild. If you want to make yourself paranoid, consider the number of computer systems, ATMs and payment terminals that are still running some variation of Windows XP. Even on the ecommerce side of things, being patched for Heartbleed doesn't guarantee that a site has its other security software up to date.
The best a consumer can do is be mindful of what he can control. That means using unique passwords, two-factor authentication when available and preferably a secure password manager.